EDR events sent to Splunk contain duplicate field data

Article ID: 213505

Products

Endpoint Detection and Response

Issue/Introduction

While reviewing Symantec Endpoint Detection and Response (SEDR) events in Splunk, several fields are observed to contain duplicated data, as in the example below.

Cause

This behavior is by design.

Resolution

To normalize the data it sends to Splunk, the SEDR appliance was designed to use the Splunk Common Information Model (CIM). To permit troubleshooting of the event transformations, the appliance sends Splunk both the raw event fields and the CIM-normalized fields, so the same value appears under more than one field name.
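As an added illustration (not code from the KB article or from the SEDR product), the following Python snippet shows what the raw-plus-normalized layout looks like once an event has been ingested, and gives an analyst a quick check for which field pairs carry the same value. The CIM field names (src, dest, signature, severity, action) come from the Splunk CIM Intrusion Detection data model; the raw_* field names and all sample values are constructed for the example and are not the appliance's actual field names.

```python
# Added example: identify duplicated raw/CIM-normalized fields in an SEDR event
# as it appears in Splunk. CIM names are real data-model fields; the "raw_*"
# names and the sample values are constructed placeholders, not SEDR output.
from collections import defaultdict

# Constructed sample event: one record with raw and normalized fields side by side.
SAMPLE_EVENT = {
    "raw_source_ip": "10.0.0.5",          # assumed raw field name
    "src": "10.0.0.5",                    # CIM Intrusion Detection field
    "raw_dest_ip": "192.0.2.10",          # assumed raw field name
    "dest": "192.0.2.10",                 # CIM field
    "raw_threat_name": "EICAR Test String",
    "signature": "EICAR Test String",     # CIM field
    "raw_severity_level": "5",
    "severity": "5",                      # CIM field
    "action": "blocked",                  # CIM field, no raw twin in this sample
    "_time": "2024-01-01T00:00:00Z",      # constructed timestamp
}

# Subset of CIM Intrusion Detection field names used to prefer the normalized
# field when collapsing a duplicate pair.
CIM_IDS_FIELDS = {
    "src", "dest", "signature", "severity", "action",
    "category", "dvc", "user", "vendor_product",
}


def find_duplicate_fields(event):
    """Return {value: sorted field names} for each value present under more than one field."""
    by_value = defaultdict(list)
    for field, value in event.items():
        by_value[str(value)].append(field)
    return {v: sorted(fields) for v, fields in by_value.items() if len(fields) > 1}


def normalized_view(event):
    """Collapse each duplicated value to a single field.

    The CIM field name is kept when one is present so searches written against
    the data model still match; otherwise the first field in sorted order wins.
    Fields that are not duplicated are passed through unchanged.
    """
    drop = set()
    for fields in find_duplicate_fields(event).values():
        cim = [f for f in fields if f in CIM_IDS_FIELDS]
        keep = cim[0] if cim else fields[0]
        drop.update(f for f in fields if f != keep)
    return {f: v for f, v in event.items() if f not in drop}


if __name__ == "__main__":
    for value, fields in find_duplicate_fields(SAMPLE_EVENT).items():
        print(f"{value!r} appears in: {', '.join(fields)}")
    print("normalized view:", normalized_view(SAMPLE_EVENT))
```

Running the block lists each duplicated value with the raw and CIM field that carry it, which is the pattern this article describes; the collapsed view is only a convenience for reading events, since the duplication is intentional and the raw fields are what you want when troubleshooting a transformation.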

Additional Information

Why the CIM exists:
https://docs.splunk.com/Documentation/CIM/4.18.1/User/Overview#Why_the_CIM_exists

Fields for Intrusion Detection event datasets:
https://docs.splunk.com/Documentation/CIM/4.18.1/User/IntrusionDetection#Fields_for_Intrusion_Detection_event_datasets